Sorry to have missed this - I was out of the office this morning.
Generally speaking, all users should authenticate when
submitting/sending emails. So long as they all authenticate, there is no
reason to have any entries in tcp.smtp beyond the last default record
(beginning with : ). I even configure squirrelmail to authenticate, in
which case the 127.: line is unnecessary too.
I recommend removing all but the last (default) line in tcp.smtp, unless
you have some other good reason for having them. For instance, I use
them for allowing certain senders (financial institutions such as AmEx
and JPMChase) to send with no scanning, as they sometimes get false
positives for phishing attempts when sanesecurity is used. When doing
this, I only use addresses as specified in their SPF record. Using
address blocks such as 128.: for instance would be a very bad practice.
The sender_nocheck variable has nothing to do with authentication - it's
only a control for chkuser, which checks for MX and a few other things
related to email addresses.
I hope that clarifies things.
--
-Eric 'shubes'
On 03/27/2013 12:59 PM, Rvaught wrote:
I have been looking in the qmail smtp log and quail mail smtp queue. The
user was receiving failed delivery messages that showed the sender as
user@ourdomain@ip-address . I think it has stop now . I am now longer seeing
any in the log or queque . In the log it would show the user's email address
and a foreign ip address and say account allow to relay . None of the IP
where from 128 .
Some up the earlier suggestions may have work and I am too much of a novice
to have seen it .
I will be continuing to monitor it .
Thanks for everyones help.
-----Original Message-----
From: Jon Myers [mailto:myer...@alfredstate.edu]
Sent: Wednesday, March 27, 2013 3:02 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: RE: [qmailtoaster] Relaying
yes, it should let you connect, as thats how other mail servers out on the
internet connect and send mail to people within your domain.
I was thinking you could manually talk the SMTP protocol and try relaying to
domains outside your mail server to see if it says relaying denied.
Can you find the IP that is relaying the spam? Does it indeed start with
128? How are you figuring that the one particular email address is doing
the spamming, just because it is in the From address, or what?
At 02:04 PM 3/27/2013, you wrote:
When I tried telnet to the mail server from outside the network on port
25.
It let me connect with out authenticating. Should it have ? how can I
stop this .
-----Original Message-----
From: Jon Myers [mailto:myer...@alfredstate.edu]
Sent: Wednesday, March 27, 2013 1:12 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: RE: [qmailtoaster] Relaying
Did you really REMOVE sender_nocheck, or did you just set it to 0? I'm
guessing you should have just set it to 0.
Also, by nature, users should be allowed to relay, as thats how they
send mail, but of course they need to authenticate first, unless they
are coming from the local network, in which you can typically bypass
checking.
After editing /etc/tcprules.d/tcp.smtp be sure to rebuild with
"/etc/init.d/qmail cdb" (Sorry if I'm pointing out the obvious, just
never know who knows what) Also, you specify:
128.:allow,RELAYCLIENT=""
which means anyone from 128.0.0.0/8 can freely relay. Is that really
what you want? The whole class A?
If you telnet into your mail server from outside your network, can you
still relay without even logging in as a user? (Do you speak fluent
SMTP?)
At 12:44 PM 3/27/2013, Rvaught wrote:
I tried removing sender_nocheck=1 and I am still relaying outside
mail on that account.
From: Helmut Fritz [mailto:hel...@fritz.us.com]
Sent: Wednesday, March 27, 2013 12:18 PM
To: qmailtoaster-list@qmailtoaster.com
Subject: RE: [qmailtoaster] Relaying
I believe sender_nockeck=1 is the issue? I think that turns off
authentication for senders. others with a lot more expertise in tcp
rules than I will hopefully confirm.
From: Rvaught
[<mailto:rvau...@libertycasting.com>mailto:rvau...@libertycasting.com
]
Sent: Wednesday, March 27, 2013 8:54 AM
To:
<mailto:qmailtoaster-list@qmailtoaster.com>qmailtoaster-list@qmailtoa
ster.c
om
Subject: [qmailtoaster] Relaying
Somehow I have something setup wrong now and I am having spam being
relayed thru my email server on one email account . I have changed
their password. I think I have something wrong in my tcprules.d
file . I want to allow local users to send mail but block relaying.
I have :
127.:allow,RELAYCLIENT=""
192.:allow,RELAYCLIENT=""
128.:allow,RELAYCLIENT=""
:allow,BADMIMETYPE="",SENDER_NOCHECK="1",CHKUSER_RCPT_FORMAT="0",CHKU
SER_SE
NDER_FORMAT="0",BADLOADERTYPE="M",CHKUSER_RCPTLIMIT="75",CHKUSER_WRONGR
CPTLI MIT="50",QMAILQUEUE="/var/qmail/bin/simscan"
192 and 128 are my local networks.
Rick
---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail:
qmailtoaster-list-h...@qmailtoaster.com
---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail:
qmailtoaster-list-h...@qmailtoaster.com
---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
---------------------------------------------------------------------
To unsubscribe, e-mail: qmailtoaster-list-unsubscr...@qmailtoaster.com
For additional commands, e-mail: qmailtoaster-list-h...@qmailtoaster.com
